From 428cdcb731cb3bc40aa6a49613f86c9530222260 Mon Sep 17 00:00:00 2001 From: Matias Barcenas Date: Sat, 17 Mar 2018 13:53:48 -0500 Subject: [PATCH 1/5] Fixed interface loading bug & enabled resuming option. --- attacks/Handshake Snooper/attack.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/attacks/Handshake Snooper/attack.sh b/attacks/Handshake Snooper/attack.sh index 4c3e688..540d1bf 100755 --- a/attacks/Handshake Snooper/attack.sh +++ b/attacks/Handshake Snooper/attack.sh @@ -428,7 +428,7 @@ prep_attack() { # Attempt loading configuration if one is available. # TODO: Enable this by removing extraneous " -a ! " when properly implemented. - if [ -f "$attackPath/attack.conf" -a ! ]; then + if [ -f "$attackPath/attack.conf" ]; then local choice=${1:+Y} # TODO: This doesn't translate choices to the selected language. while ! echo "$choice" | grep -q "^[ynYN]$" &> /dev/null; do @@ -442,7 +442,7 @@ prep_attack() { readarray -t configuration < <(more "$attackPath/attack.conf") HandshakeSnooperDeauthenticatorIdentifier=${configuration[0]} - HandshakeSnooperJammerInterface=${configuration[1]} + HandshakeSnooperUninitializedJammerInterface=${configuration[1]} HandshakeSnooperVerifierIdentifier=${configuration[2]} HandshakeSnooperVerifierInterval=${configuration[3]} HandshakeSnooperVerifierSynchronicity=${configuration[4]} From 147147b631f5d3d6a6c2fb08b93ad9eea194ca0a Mon Sep 17 00:00:00 2001 From: Matias Barcenas Date: Sun, 22 Apr 2018 22:16:37 -0500 Subject: [PATCH 2/5] Handshake Snooper target tracking implemented. --- attacks/Handshake Snooper/attack.sh | 66 +++++++++++++---------------- fluxion.sh | 45 ++++++++++++++++++-- 2 files changed, 71 insertions(+), 40 deletions(-) diff --git a/attacks/Handshake Snooper/attack.sh b/attacks/Handshake Snooper/attack.sh index 540d1bf..4788292 100755 --- a/attacks/Handshake Snooper/attack.sh +++ b/attacks/Handshake Snooper/attack.sh 
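Review bot: The TODO kept directly above the re-enabled test in the first hunk still reads `Enable this by removing extraneous " -a ! " when properly implemented`, which is stale now that this commit removes the `-a !`. Delete it or replace it with a comment that describes the block, for example `# Offer to restore the previous run's settings from attack.conf.`. prep_attack starts and ends outside the hunk, so the rest of the restore path is not visible here.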
@@ -224,6 +224,7 @@ handshake_snooper_set_deauthenticator_identifier() { handshake_snooper_unset_jammer_interface() { if [ ! "$HandshakeSnooperJammerInterface" ]; then return 1; fi HandshakeSnooperJammerInterface="" + HandshakeSnooperJammerInterfaceOriginal="" # Check if we're automatically selecting the interface & skip # this one if so to take the user back properly. @@ -238,19 +239,18 @@ handshake_snooper_set_jammer_interface() { #if [ "$HandshakeSnooperDeauthenticatorIdentifier" = \ # "$HandshakeSnooperMonitorMethodOption" ]; then return 0; fi - if [ ! "$HandshakeSnooperUninitializedJammerInterface" ]; then + if [ ! "$HandshakeSnooperJammerInterfaceOriginal" ]; then echo "Running get jammer interface." > $FLUXIONOutputDevice if ! fluxion_get_interface attack_targetting_interfaces \ "$HandshakeSnooperJammerInterfaceQuery"; then echo "Failed to get jammer interface" > $FLUXIONOutputDevice return 1 fi - local selectedInterface=$FluxionInterfaceSelected - else - local selectedInterface=$HandshakeSnooperUninitializedJammerInterface - unset HandshakeSnooperUninitializedJammerInterface + HandshakeSnooperJammerInterfaceOriginal=$FluxionInterfaceSelected fi + local selectedInterface=$HandshakeSnooperJammerInterfaceOriginal + if ! fluxion_allocate_interface $selectedInterface; then echo "Failed to allocate jammer interface" > $FLUXIONOutputDevice return 2 
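Review bot: In the second hunk `selectedInterface` is now always taken from `HandshakeSnooperJammerInterfaceOriginal`, which load_attack (added later in this commit) fills from attack.conf, yet it still reaches `fluxion_allocate_interface $selectedInterface` unquoted and unchecked. A stale or hand-edited file value would be word-split and glob-expanded at that call; quote it, `if ! fluxion_allocate_interface "$selectedInterface"; then`, and confirm the named interface is still present before allocating it. The same pattern recurs in captive_portal_set_jammer_interface and captive_portal_set_ap_interface in patch 5/5. The function body continues past the end of the hunk.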
@@ -424,31 +424,6 @@ prep_attack() { IOUtilsHeader="handshake_snooper_header" - local -r attackPath="$FLUXIONPath/attacks/Handshake Snooper" - - # Attempt loading configuration if one is available. - # TODO: Enable this by removing extraneous " -a ! " when properly implemented. - if [ -f "$attackPath/attack.conf" ]; then - local choice=${1:+Y} - # TODO: This doesn't translate choices to the selected language. - while ! echo "$choice" | grep -q "^[ynYN]$" &> /dev/null; do - echo -ne "$FLUXIONVLine Would you like to repeat the last attack? [Y/n] " - read choice - if [ ! "$choice" ]; then break; fi - done - - if [ "${choice,,}" != "n" ]; then - local configuration - readarray -t configuration < <(more "$attackPath/attack.conf") - - HandshakeSnooperDeauthenticatorIdentifier=${configuration[0]} - HandshakeSnooperUninitializedJammerInterface=${configuration[1]} - HandshakeSnooperVerifierIdentifier=${configuration[2]} - HandshakeSnooperVerifierInterval=${configuration[3]} - HandshakeSnooperVerifierSynchronicity=${configuration[4]} - fi - fi - # Removed read-only due to local constant shadowing bug. # I've reported the bug, we can add it when fixed. local sequence=( 
@@ -463,15 +438,32 @@ prep_attack() { return 1 fi + HandshakeSnooperState="Ready" +} + +load_attack() { + local -r configurationPath=$1 + + local configuration + readarray -t configuration < <(more "$configurationPath") + + HandshakeSnooperDeauthenticatorIdentifier=${configuration[0]} + HandshakeSnooperJammerInterfaceOriginal=${configuration[1]} + HandshakeSnooperVerifierIdentifier=${configuration[2]} + HandshakeSnooperVerifierInterval=${configuration[3]} + HandshakeSnooperVerifierSynchronicity=${configuration[4]} +} + +save_attack() { + local -r configurationPath=$1 + # Store/overwrite attack configuration for pause & resume. # Order: DeauthID, JammerWI, VerifId, VerifInt, VerifSync - echo "$HandshakeSnooperDeauthenticatorIdentifier" > "$attackPath/attack.conf" - echo "$HandshakeSnooperJammerInterface" >> "$attackPath/attack.conf" - echo "$HandshakeSnooperVerifierIdentifier" >> "$attackPath/attack.conf" - echo "$HandshakeSnooperVerifierInterval" >> "$attackPath/attack.conf" - echo "$HandshakeSnooperVerifierSynchronicity" >> "$attackPath/attack.conf" - - HandshakeSnooperState="Ready" + echo "$HandshakeSnooperDeauthenticatorIdentifier" > "$configurationPath" + echo "$HandshakeSnooperJammerInterfaceOriginal" >> "$configurationPath" + echo "$HandshakeSnooperVerifierIdentifier" >> "$configurationPath" + echo "$HandshakeSnooperVerifierInterval" >> "$configurationPath" + echo "$HandshakeSnooperVerifierSynchronicity" >> "$configurationPath" } stop_attack() { diff --git a/fluxion.sh b/fluxion.sh index b235eb2..6a2a5ca 100755 --- a/fluxion.sh +++ b/fluxion.sh 
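Review bot: load_attack can never report failure, because `readarray` fed by a process substitution returns 0 even when `more` cannot open the file and the last commands are plain assignments. The `if ! load_attack …` test added to fluxion_handle_target_change in this commit is therefore dead code, and a missing or truncated attack.conf silently yields empty settings. Read the file directly and check what came back: `readarray -t configuration < "$configurationPath" || return 1` followed by `[ "${#configuration[@]}" -ge 5 ] || return 1`. The Captive Portal load_attack in patch 5/5 has the same shape and needs the same check with its own field count. In save_attack a single `printf '%s\n' … > "$configurationPath"` would replace the five separate redirections and avoid a half-written file if one of them fails.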
@@ -450,6 +450,22 @@ fluxion_handle_target_change() { FluxionTargetChannel=${targetInfo[2]} FluxionTargetSSIDClean=$(fluxion_target_normalize_SSID) + + if ! stop_attack; then + fluxion_conditional_bail "Target tracker failed to stop attack." + fi + + if ! load_attack "$FLUXIONPath/attacks/$FluxionAttack/attack.conf"; then + fluxion_conditional_bail "Target tracker failed to load attack." + fi + + if ! prep_attack; then + fluxion_conditional_bail "Target tracker failed to prep attack." + fi + + if ! fluxion_run_attack; then + fluxion_conditional_bail "Target tracker failed to start attack." + fi } # If target monitoring enabled, act on changes. @@ -1736,11 +1752,34 @@ fluxion_prep_attack() { # Check if attack provides tracking interfaces, get & set one. # TODO: Uncomment the lines below after implementation. - #if type -t attack_tracking_interfaces &> /dev/null; then - # if ! fluxion_target_set_tracker; then return 4; fi - #fi + if type -t attack_tracking_interfaces &> /dev/null; then + if ! fluxion_target_set_tracker; then return 4; fi + fi + + # If attack is capable of restoration, check for configuration. + if type -t load_attack &> /dev/null; then + # If configuration file available, check if user wants to restore. + if [ -f "$path/attack.conf" ]; then + local choice=${1:+Y} + # TODO: This doesn't translate choices to the selected language. + while ! echo "$choice" | grep -q "^[ynYN]$" &> /dev/null; do + echo -ne "$FLUXIONVLine Would you like to repeat the last attack? [Y/n] " + read choice + if [ ! "$choice" ]; then break; fi + done + + if [ "${choice,,}" != "n" ]; then + load_attack "$path/attack.conf" + fi + fi + fi if ! prep_attack; then return 5; fi + + # Save the attack for user's convenience if possible. + if type -t save_attack &> /dev/null; then + save_attack "$path/attack.conf" + fi } fluxion_run_attack() { From e31beafcbc1e15755816941c5ed60c3b3ff1d67c Mon Sep 17 00:00:00 2001 
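Review bot: `load_attack` is called in fluxion_handle_target_change without the `type -t load_attack &> /dev/null` guard that fluxion_prep_attack uses for the same optional subroutine later in this commit, so an attack script that does not define it lands in the "failed to load attack" bail on every target change. Wrap the call the same way, `if type -t load_attack &> /dev/null; then … fi`. Unless fluxion_conditional_bail exits (its body is not visible here), each later step also still runs after an earlier one has failed; a `return 1` after each bail would stop the chain. The function starts above the hunk.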
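Review bot: The comment `# TODO: Uncomment the lines below after implementation.` is left in place in fluxion_prep_attack although this hunk uncomments those lines; it should be removed. The added prompt uses `read choice`, which interprets backslashes, so `read -r choice` is the safer form, and the `&> /dev/null` after `grep -q` is redundant. The results of `load_attack "$path/attack.conf"` and `save_attack "$path/attack.conf"` are both ignored, whereas fluxion_handle_target_change treats a load failure as fatal; decide on one policy and at least log a failed save. `$path` is defined outside the hunk.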
From: Matias Barcenas Date: Sun, 22 Apr 2018 22:59:16 -0500 Subject: [PATCH 3/5] Fixed potential restoration detection bug. Fixed a bug caused by not cleaning loaded restoration subroutines after attack. --- fluxion.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fluxion.sh b/fluxion.sh index 6a2a5ca..f4eb34c 100755 --- a/fluxion.sh +++ b/fluxion.sh @@ -1715,10 +1715,14 @@ fluxion_unprep_attack() { IOUtilsHeader="fluxion_header" - # Remove any lingering targetting loaded subroutines + # Remove any lingering targetting subroutines loaded. unset attack_targetting_interfaces unset attack_tracking_interfaces + # Remove any lingering restoration subroutines loaded. + unset load_attack + unset save_attack + FluxionTargetTrackerInterface="" return 1 # Trigger another undo since prep isn't significant. From d41dd058299ec727744e44f0548a019bf58478e6 Mon Sep 17 00:00:00 2001 From: Matias Barcenas Date: Mon, 23 Apr 2018 00:18:12 -0500 Subject: [PATCH 4/5] Fixed restoration bug choice. --- fluxion.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fluxion.sh b/fluxion.sh index f4eb34c..e2ead39 100755 --- a/fluxion.sh +++ b/fluxion.sh @@ -455,6 +455,10 @@ fluxion_handle_target_change() { fluxion_conditional_bail "Target tracker failed to stop attack." fi + if ! unprep_attack; then + fluxion_conditional_bail "Target tracker failed to unprep attack." + fi + if ! load_attack "$FLUXIONPath/attacks/$FluxionAttack/attack.conf"; then fluxion_conditional_bail "Target tracker failed to load attack." fi @@ -1764,7 +1768,7 @@ fluxion_prep_attack() { if type -t load_attack &> /dev/null; then # If configuration file available, check if user wants to restore. if [ -f "$path/attack.conf" ]; then - local choice=${1:+Y} + local choice="?" # TODO: This doesn't translate choices to the selected language. while ! echo "$choice" | grep -q "^[ynYN]$" &> /dev/null; do echo -ne "$FLUXIONVLine Would you like to repeat the last attack? [Y/n] " 
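Review bot: In the fluxion_unprep_attack hunk, `unset load_attack` and `unset save_attack` only remove the functions because bash falls back to a function when no variable of that name exists. If a variable called `load_attack` were ever set, the function would survive and the `type -t load_attack` test in fluxion_prep_attack would keep finding the previous attack's routine. `unset -f load_attack save_attack` states the intent explicitly; the two context lines above for the targetting subroutines would benefit from the same flag.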
From f8f9bb70b6b84b7c21bb2d212331b489fd96f99f Mon Sep 17 00:00:00 2001 From: Matias Barcenas Date: Mon, 23 Apr 2018 00:19:14 -0500 Subject: [PATCH 5/5] Captive Portal target tracking implemented. --- attacks/Captive Portal/attack.sh | 99 +++++++++++++++++++++++------ attacks/Handshake Snooper/attack.sh | 3 +- 2 files changed, 83 insertions(+), 19 deletions(-) diff --git a/attacks/Captive Portal/attack.sh b/attacks/Captive Portal/attack.sh index eb10938..fda71f2 100755 --- a/attacks/Captive Portal/attack.sh +++ b/attacks/Captive Portal/attack.sh @@ -24,6 +24,8 @@ CaptivePortalGatewayNetwork=${CaptivePortalGatewayAddress%.*} # ============== < Captive Portal Subroutines > ============== # # ============================================================ # captive_portal_unset_jammer_interface() { + CaptivePortalJammerInterfaceOriginal="" + if [ ! "$CaptivePortalJammerInterface" ]; then return 1; fi CaptivePortalJammerInterface="" @@ -38,20 +40,18 @@ captive_portal_unset_jammer_interface() { captive_portal_set_jammer_interface() { if [ "$CaptivePortalJammerInterface" ]; then return 0; fi - - if [ ! "$CaptivePortalUninitializedJammerInterface" ]; then + if [ ! "$CaptivePortalJammerInterfaceOriginal" ]; then echo "Running get jammer interface." > $FLUXIONOutputDevice if ! fluxion_get_interface attack_targetting_interfaces \ "$CaptivePortalJammerInterfaceQuery"; then echo "Failed to get jammer interface" > $FLUXIONOutputDevice return 1 fi - local selectedInterface=$FluxionInterfaceSelected - else - local selectedInterface=$CaptivePortalUninitializedJammerInterface - unset CaptivePortalUninitializedJammerInterface + CaptivePortalJammerInterfaceOriginal=$FluxionInterfaceSelected fi + local selectedInterface=$CaptivePortalJammerInterfaceOriginal + if ! fluxion_allocate_interface $selectedInterface; then echo "Failed to allocate jammer interface" > $FLUXIONOutputDevice return 2 
@@ -71,6 +71,8 @@ captive_portal_ap_interfaces() { } captive_portal_unset_ap_interface() { + CaptivePortalAccessPointInterfaceOriginal="" + if [ ! "$CaptivePortalAccessPointInterface" ]; then return 1; fi if [ "$CaptivePortalAccessPointInterface" = \ "${CaptivePortalJammerInterface}v" ]; then @@ -86,19 +88,18 @@ captive_portal_unset_ap_interface() { captive_portal_set_ap_interface() { if [ "$CaptivePortalAccessPointInterface" ]; then return 0; fi - if [ ! "$CaptivePortalUninitializedAccessPointInterface" ]; then + if [ ! "$CaptivePortalAccessPointInterfaceOriginal" ]; then echo "Running get ap interface." > $FLUXIONOutputDevice if ! fluxion_get_interface captive_portal_ap_interfaces \ "$CaptivePortalAccessPointInterfaceQuery"; then echo "Failed to get ap interface" > $FLUXIONOutputDevice return 1 fi - local selectedInterface=$FluxionInterfaceSelected - else - local selectedInterface=$CaptivePortalUninitializedAccessPointInterface - unset CaptivePortalUninitializedAccessPointInterface + CaptivePortalAccessPointInterfaceOriginal=$FluxionInterfaceSelected fi + local selectedInterface=$CaptivePortalAccessPointInterfaceOriginal + if ! fluxion_allocate_interface $selectedInterface; then echo "Failed to allocate ap interface" > $FLUXIONOutputDevice return 2 @@ -140,9 +141,15 @@ function captive_portal_unset_ap_service() { } function captive_portal_set_ap_service() { - if [ "$CaptivePortalAPService" ]; then return 0; fi + if [ "$CaptivePortalAPService" ]; then + if ! type -t ap_service_start; then + # AP Service: Load the service's helper routines. + source "lib/ap/$CaptivePortalAPService.sh" + fi + return 0 + fi if ! interface_is_wireless "$CaptivePortalAccessPointInterface"; then - return 0; + return 0 fi captive_portal_unset_ap_service 
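Review bot: In captive_portal_set_ap_service the restored `CaptivePortalAPService` value is interpolated directly into `source "lib/ap/$CaptivePortalAPService.sh"`, and load_attack (added in this patch) takes that value from attack.conf without any validation, so whatever that file names is executed in the current shell and a value containing `/` can point outside `lib/ap`. Reject anything that is not a plain name with an existing helper before sourcing it, as sketched below; the `return 1` is a placeholder, since the codes callers expect are not visible here. `type -t ap_service_start` also prints `function` to stdout because it lacks the `&> /dev/null` used elsewhere in this series, and the relative `lib/ap/` path depends on the working directory. The function continues beyond the hunk.

```shell
  if [ "$CaptivePortalAPService" ]; then
    # The value may have been restored from attack.conf: accept only a
    # plain name (no path separators, no leading dot).
    case "$CaptivePortalAPService" in
      */* | .*) return 1 ;;
    esac
    if ! type -t ap_service_start &> /dev/null; then
      # AP Service: Load the service's helper routines.
      [ -f "lib/ap/$CaptivePortalAPService.sh" ] || return 1
      source "lib/ap/$CaptivePortalAPService.sh"
    fi
    return 0
  fi
  # … unchanged: interface_is_wireless check and service selection …
```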
@@ -205,9 +212,15 @@ captive_portal_unset_authenticator() { captive_portal_set_authenticator() { if [ "$CaptivePortalAuthenticatorMode" ]; then - echo "Captive Portal authentication mode is already set, skipping!" \ - > $FLUXIONOutputDevice - return 0 + case "$CaptivePortalAuthenticatorMode" in + "hash") + if [ "$CaptivePortalHashPath" ]; then + echo "Captive Portal authentication mode is already set, skipping!" \ + > $FLUXIONOutputDevice + return 0 + fi + ;; + esac fi captive_portal_unset_authenticator @@ -277,7 +290,7 @@ captive_portal_set_authenticator() { captive_portal_run_certificate_generator() { xterm -bg "#000000" -fg "#CCCCCC" \ -title "Generating Self-Signed SSL Certificate" -e openssl req \ - -subj '/CN=captive.router.lan/O=CaptivePortal/OU=Networking/C=US' \ + -subj '/CN=captive.gateway.lan/O=CaptivePortal/OU=Networking/C=US' \ -new -newkey rsa:2048 -days 365 -nodes -x509 \ -keyout "$FLUXIONWorkspacePath/server.pem" \ -out "$FLUXIONWorkspacePath/server.pem" @@ -299,7 +312,10 @@ captive_portal_unset_certificate() { # Create Self-Signed SSL Certificate captive_portal_set_certificate() { - if [ "$CaptivePortalSSL" ]; then + if [ \ + "$CaptivePortalSSL" = "disabled" -o \ + "$CaptivePortalSSL" = "enabled" -a \ + -f "$FLUXIONWorkspacePath/server.pem" ]; then echo "Captive Portal SSL mode already set to $CaptivePortalSSL!" \ > $FLUXIONOutputDevice return 0 @@ -323,6 +339,18 @@ captive_portal_set_certificate() { return 0 fi + + # Check if we're restoring and we need to re-create certificate. + if [ "$CaptivePortalSSL" = "enabled" ]; then + if ! captive_portal_run_certificate_generator; then + fluxion_conditional_bail "cert-gen failed!" + return 2 + fi + CaptivePortalSSL="enabled" + return 0 + fi + + if [ "$FLUXIONAuto" ]; then CaptivePortalSSL="disabled" else 
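Review bot: In captive_portal_set_authenticator the restored `CaptivePortalHashPath` is only tested for being non-empty, so a path from attack.conf whose file has since been moved or deleted is accepted and the function returns 0 as if the mode were fully configured. Assuming the path names a regular file, test the file itself: `if [ -f "$CaptivePortalHashPath" ]; then`. The `case` has a single `"hash"` arm and no `*)` arm, so any other restored mode falls through to `captive_portal_unset_authenticator`; a one-line comment saying that this is intended would help the next reader. The function continues beyond the hunk.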
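Review bot: The new condition in captive_portal_set_certificate chains three tests with `-o` and `-a` inside one `[ … ]`; POSIX marks both operators obsolescent and leaves the result unspecified for this many arguments, so the test depends on bash's precedence rules. Separate tests are unambiguous: `if [ "$CaptivePortalSSL" = "disabled" ] || { [ "$CaptivePortalSSL" = "enabled" ] && [ -f "$FLUXIONWorkspacePath/server.pem" ]; }; then`. In the restore branch added by the last hunk on this line, `CaptivePortalSSL="enabled"` is redundant because the branch is only entered when it already has that value.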
@@ -1251,6 +1279,41 @@ prep_attack() { CaptivePortalState="Ready" } +load_attack() { + local -r configurationPath=$1 + + local configuration + readarray -t configuration < <(more "$configurationPath") + + CaptivePortalJammerInterfaceOriginal=${configuration[0]} + CaptivePortalAccessPointInterfaceOriginal=${configuration[1]} + CaptivePortalAPService=${configuration[2]} + CaptivePortalAuthenticatorMode=${configuration[3]} + CaptivePortalSSL=${configuration[4]} + CaptivePortalConnectivity=${configuration[5]} + CaptivePortalUserInterface=${configuration[6]} + + # Hash authenticator mode configuration. + CaptivePortalHashPath=${configuration[7]} +} + +save_attack() { + local -r configurationPath=$1 + + # Store/overwrite attack configuration for pause & resume. + # Order: JammerWI, APWI, APServ, AuthMode, SSL, Conn, UI + echo "$CaptivePortalJammerInterfaceOriginal" > "$configurationPath" + echo "$CaptivePortalAccessPointInterfaceOriginal" >> "$configurationPath" + echo "$CaptivePortalAPService" >> "$configurationPath" + echo "$CaptivePortalAuthenticatorMode" >> "$configurationPath" + echo "$CaptivePortalSSL" >> "$configurationPath" + echo "$CaptivePortalConnectivity" >> "$configurationPath" + echo "$CaptivePortalUserInterface" >> "$configurationPath" + + # Hash authenticator mode configuration. + echo "$CaptivePortalHashPath" >> "$configurationPath" +} + stop_attack() { # Attempt to find PIDs of any running authenticators. local authenticatorPID=$(ps a | grep -vE "xterm|grep" | grep captive_portal_authenticator.sh | awk '{print $1}') diff --git a/attacks/Handshake Snooper/attack.sh b/attacks/Handshake Snooper/attack.sh index 4788292..d000bb4 100755 --- a/attacks/Handshake Snooper/attack.sh +++ b/attacks/Handshake Snooper/attack.sh 
@@ -222,9 +222,10 @@ handshake_snooper_set_deauthenticator_identifier() { } handshake_snooper_unset_jammer_interface() { + HandshakeSnooperJammerInterfaceOriginal="" + if [ ! "$HandshakeSnooperJammerInterface" ]; then return 1; fi HandshakeSnooperJammerInterface="" - HandshakeSnooperJammerInterfaceOriginal="" # Check if we're automatically selecting the interface & skip # this one if so to take the user back properly.